Connect a Firewalled Private Cloud to RightScale

Overview

The RightLink management agent makes outbound HTTP(S) connections to the RightScale infrastructure in order to receive configuration instructions. Optional RightScale features such as monitoring and frozen package repositories make outbound connections using other protocols.

When RightLink resides behind a firewall that performs egress filtering, the firewall must be configured to allow this outbound traffic.

Prerequisites

This information applies to the following environment:

Private clouds whose API endpoint resides behind a firewall

RightScale management requests sent to private cloud APIs

This information does not apply to:

Compute instances that run inside private clouds

Please review the firewall rules you will need to set up in order to enable communication between the RightScale platform and private clouds, end-users, and design asset repositories located inside the firewall as specified in Firewall Configuration Ruleset.

Goal

After completing this how-to, you will have configured your network firewall to allow API requests to your private cloud. You will be able to register your cloud with the RightScale platform, add your cloud to one or more RightScale accounts, and use our UI or API to make cloud-management requests.

Procedure

RightScale-Operated Networks

RightScale operates network infrastructure in several geographical regions to provide fault tolerance. Your instances generally communicate with infrastructure in a nearby geographical region, but may be redirected to remote regions during network or cloud outages.

Network/CIDR | Location | Description
54.225.248.128/27 | US-East | us-3 cluster and island1 resources
54.244.88.96/27 | US-West | us-4 cluster and island10 resources
54.86.63.128/26 | US-East | additional island1 resources
54.187.254.128/26 | US-West | additional island10 resources
54.217.243.218/32, 54.217.243.226/32 | Europe | island2 resources. Can be removed after April 30, 2015. Only required for workloads in AWS EU-Frankfurt and AWS EU-Ireland.
54.246.247.16/28 | Europe | Only required for workloads in AWS EU-West and EU-Central.
54.248.220.136/32, 54.248.220.137/32 | Japan | island8 resources. Can be removed after April 30, 2015. Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney.
54.248.220.128/28 | Japan | Only required for workloads in AWS AP-Tokyo and AWS AP-Sydney.
54.251.98.164/32, 54.251.106.120/32 | Singapore | island5 resources. Can be removed after April 30, 2015. Only required for workloads in AWS AP-Singapore.
54.255.255.208/28 | Singapore | Only required for workloads in AWS AP-Singapore.

Enable Cloud API Requests

Your private cloud's API is normally exposed as an HTTPS endpoint on port tcp/443, though the protocol and port can differ depending on how you have configured the cloud. RightScale must be able to make API requests to this endpoint from each RightScale-operated network range.

Assuming that your cloud is listening on port 443, you will need to create the following ingress rules:

Source Network/CIDR | Ports | Purpose
54.225.248.128/27 | configurable (usually tcp/443) | Receive API requests from us-3
54.244.88.96/27 | configurable (usually tcp/443) | Receive API requests from us-4
54.86.63.128/26 | configurable (usually tcp/443) | Receive API requests from us-3
54.187.254.128/26 | configurable (usually tcp/443) | Receive API requests from us-4
54.246.247.16/28 | configurable (usually tcp/443) | Reserved for expansion
54.255.255.208/28 | configurable (usually tcp/443) | Reserved for expansion

NOTE: No ingress rules are required for VMware vSphere clouds or AWS VPC.
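The ingress allow-list above, turned into something you can check and apply. This is an added example and not RightScale's own tooling: it validates each source range strictly (so a fused or mistyped CIDR fails loudly instead of becoming a wrong rule), answers whether a given source address is covered, and renders equivalent iptables rules. The port (443) and the chain name INPUT are assumptions to adjust to your cloud.

```python
# Added example (not from the RightScale page): build the ingress allow-list for a
# private cloud API endpoint from the RightScale source ranges listed above, check
# whether a given source address is covered, and emit equivalent iptables rules.
# The API port (443) and the iptables chain name are assumptions; change them to
# match your cloud's configuration.
import ipaddress

# Source networks from the "Enable Cloud API Requests" table above.
RIGHTSCALE_API_SOURCES = {
    "54.225.248.128/27": "Receive API requests from us-3",
    "54.244.88.96/27": "Receive API requests from us-4",
    "54.86.63.128/26": "Receive API requests from us-3",
    "54.187.254.128/26": "Receive API requests from us-4",
    "54.246.247.16/28": "Reserved for expansion",
    "54.255.255.208/28": "Reserved for expansion",
}


def parse_sources(sources):
    """Validate every CIDR strictly; a fused or malformed entry raises ValueError
    instead of silently producing a wrong rule."""
    return [(ipaddress.ip_network(cidr, strict=True), purpose)
            for cidr, purpose in sources.items()]


def allowed_source(ip, sources=RIGHTSCALE_API_SOURCES):
    """Return the CIDR covering `ip`, or None if the address must be denied."""
    addr = ipaddress.ip_address(ip)
    for net, _purpose in parse_sources(sources):
        if addr in net:
            return str(net)
    return None


def iptables_rules(port=443, chain="INPUT", sources=RIGHTSCALE_API_SOURCES):
    """Render one accept rule per source range plus a final drop for the port,
    so anything not in the allow-list is rejected rather than falling through."""
    rules = [f"iptables -A {chain} -p tcp --dport {port} -s {net} -j ACCEPT  # {purpose}"
             for net, purpose in parse_sources(sources)]
    rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules():
        print(rule)
```

Keep the final DROP rule: an allow-list without a matching default deny on the API port lets any other source reach the endpoint.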

What's Next

Your firewall has been configured to allow RightScale to make API requests. You can now register your private cloud with RightScale and add it to one or more accounts.